While working with a large e-commerce client on a China-based project, we realized their server had been hacked. After gaining unauthorized access, the intruder created cron jobs to restart the server. The goal was to reboot the server so that it runs their malicious code. We think that this was a typical takeover attempt, where the server is used as a DDoS zombie or as part of a zombie crypto miner network.
So how does someone go about investigating this? Read more in Aleksandar Pavic's article on LinkedIn, where he breaks down how to quickly locate the attacker. Security upgrades are in progress.
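As an added illustration (not code from the page or from the LinkedIn article), here is a small Python check over a constructed system crontab that flags the kind of entries described above: jobs that force a reboot or halt, and jobs that execute from world-writable directories. The sample entries and the heuristics are assumptions chosen for the demonstration.

```python
import os
import shlex

# Constructed sample in system-crontab format (minute hour dom month dow user command),
# including one @reboot special entry; none of this comes from the page.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /sbin/reboot
@reboot         root    /tmp/.x/update.sh
"""

# Commands that restart or halt the host; legitimate cron jobs rarely need them.
REBOOT_CMDS = {"reboot", "shutdown", "halt", "poweroff", "telinit"}
# Locations any local user can write to; persistence often lives here.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_line(line):
    """Return (schedule, user, command) for one crontab line, or None to skip it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                      # @reboot, @daily, ...
        parts = line.split(None, 2)
        return tuple(parts) if len(parts) == 3 else None
    parts = line.split(None, 6)                   # five time fields, user, rest
    if len(parts) < 7:
        return None
    return " ".join(parts[:5]), parts[5], parts[6]


def suspicious_reasons(command):
    """List why a cron command looks like attacker persistence; empty if benign."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return ["unparseable command"]
    names = {os.path.basename(t) for t in tokens}
    reasons = []
    if names & REBOOT_CMDS:
        reasons.append("restarts or halts the host")
    if any(t.startswith(WRITABLE_DIRS) for t in tokens):
        reasons.append("runs code from a world-writable directory")
    return reasons


def scan_crontab(text):
    """Return [(schedule, user, command, reasons)] for entries that need review."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and (why := suspicious_reasons(parsed[2])):
            findings.append((*parsed, why))
    return findings
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab output during triage; an `@reboot` entry pointing into `/tmp` is exactly the footprint described above.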